The media company “dodged a major bullet,” Chris Vickery, who’s director of CyberRisk Research at UpGuard, tells me. “There’s no limit on the amount of harm that could have been done….Somebody cut a corner somewhere.”

Indeed, he adds, “if a bad guy had found this, it could have been catastrophic and brand-ending. You could have done anything you wanted with Viacom.”

He noticed a potential problem on August 30, and told Viacom the next day. It secured the data “within hours,” UpGuard says.

Viacom says that the exposure involved “technical information, but no employee or customer information.” The company adds that it “rectified the issue” and, after analyzing the data, “determined there was no material impact.”

But UpGuard says there’s no way to know whether a bad actor accessed the data.

Hackers and other outsiders would have been able to tap “either the primary or backup configuration of Viacom’s IT infrastructure” which was being moved to Amazon Web Services’ cloud — including “Viacom’s access key and secret key for the corporation’s AWS account.”

That might have led to “phishing schemes, using the corporation’s brand recognition to trick consumers into furnishing their personal details,” UpGuard says. “The exposure of secret access keys to Viacom’s AWS account, as well as the control of the company’s server configurations and manifests, could also have allowed malicious actors to spin off additional servers to use Viacom IT systems as a botnet.”

The firm says that this is one more example of a “pervasive level of cyber risk” at media companies that “has not yet been met with commensurate cyber resilience across the board.”